BlackShades Trojan users had it coming

Brian Krebs

The US Justice Department on Monday announced a series of actions against more than 100 people accused of purchasing and using BlackShades, a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their webcams, steal files and account information, and log victims' keystrokes. While any effort that discourages the use of point-and-click tools for ill-gotten gains is a welcome development, the most remarkable aspect of this crackdown is that those who were targeted in this operation lacked any clue that it was forthcoming.

The product was sold via well-travelled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool. Although in recent years a licence to BlackShades sold for several hundred euros, early versions of the product were sold via PayPal for just US$40 ($43).

Related Content

In short, BlackShades was a tool created and marketed principally for buyers who wouldn't know how to hack their way out of a paper bag.

"After purchasing a copy of the RAT [remote administration tool], a user had to install the RAT on a victim's computer – that is, "infect" a victim's computer. The infection of a victim's computer could be accomplished in several ways, including by tricking victims into clicking on malicious links or by hiring others to install the RAT on victims' computers," the US Justice Department said in a statement.

Advertisement

"The RAT contained tools known as 'spreaders' that helped users of the RAT maximise the number of infections. The spreader tools generally worked by using computers that had already been infected to help spread the RAT further to other computers. For instance, in order to lure additional victims to click on malicious links that would install the RAT on their computers, the RAT allowed cybercriminals to send those malicious links to others via the initial victim's social media service, making it appear as if the message had come from the initial victim."

News that the FBI and other national law enforcement organisations had begun rounding up BlackShades customers started surfacing online last week, when multiple denizens of the noob-friendly hacker forum Hackforums[dot]net began posting firsthand experiences of receiving a visit from local authorities related to their prior alleged BlackShades use.

US authorities announce actions against more than 100 people accused of purchasing and using BlackShades. Photo: Getty Images/AFP

While there is a certain amount of schadenfreude in Monday's action, the truth is that any long-time BlackShades customer who didn't know this day would be coming should turn in his hacker card immediately. In June 2012, the US Justice Department announced a series of indictments against at least two dozen individuals who had taken the bait and signed up to be active members of "Carderprofit", a fraud forum that was created and maintained by the FBI.

Among those arrested in the CarderProfit sting was Michael Hogue, the alleged co-creator of BlackShades. That so many of the customers of this product are teenagers who wouldn't know a command line prompt from a hole in the ground is evident by the large number of users who vented their outrage over their arrests and/or visits by the local authorities on Hackforums, which by the way was the genesis of the CarderProfit sting from Day One.

In June 2010, Hackforums administrator Jesse Labrocca – also known as "Omniscient" – posted a message to all users of the forum, notifying them that the forum would no longer tolerate the posting of messages about ways to buy and use the ZeuS Trojan, a far more sophisticated remote-access Trojan that is heavily used by cybercriminals worldwide and has been implicated in the theft of hundreds of millions of dollars from small- to mid-sized businesses worldwide.

That warning alerted Hackforums users that henceforth any discussion about using or buying ZeuS was verboten on the site, and that those who wished to carry on conversations about this topic should avail themselves of a brand new forum that was being set up to accommodate them. And, of course, that forum was carderprofit[dot]eu.

In a press conference on Monday, the FBI said its investigation has shown that BlackShades was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide. The US government alleges that one co-creator of BlackShades generated sales of more than $US350,000 between September 2010 and April 2014. Information about that individual and others charged in this case can be found at this link.